Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 31 August 2010

Final reminder: Paragon competition

Just a note folks, the competition ends today, so if you're taking part in the competition (i.e. haven't gone straight for the PTAC instead), get those entries in;

http://forum.hosts-file.net/viewtopic.php?f=27&t=2077

Sunday 29 August 2010

Full Circle Magazine: Issue 40

It’s hard to believe, but we’re already at issue 40! We’ve got a lot of great stuff for you in this issue, including a spiffy new logo redesign by Thorsten Wilms. You might also notice a slight font change - that’s the new (official) Ubuntu font.


This month:

- Command and Conquer.
- How-To : Program in Python – Part 14, Virtualize Part 3 – OpenSolaris, and ADSL Modem As A Switch.
- Review – SOFA Statistics.
- Top 5 – Favourite Apps.
- plus: MOTU Interview, Ubuntu Games, My Opinion, My Story, and now with all new LoCo and Translation Team interviews!


Read more
http://fullcirclemagazine.org/2010/08/29/weve-got-issue-40-and-a-new-logo-for-you/

Get it while it's hot!
http://fullcirclemagazine.org/issue-40/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine

Wednesday 25 August 2010

Evil network: Sagade Ltd / ATECH-SAGADE AS6851 (85.234.190.0/23)

I've mentioned Sagade Ltd before, it's a totally Black Hat Latvian network that should be blocked on sight. Google's Safe Browsing diagnostic for this range is fairly damning:

There's very little point playing whack-a-mole with these Latvian IP addresses. It's probably worth null-routing the entire country until some government agency that isn't being paid off by Russian organised criminals sorts the mess out. There's a list of major Latvian IP address allocations here - unless you do business in the Baltic states, then blocking all of them will probably do no harm.


Read more
http://blog.dynamoo.com/2010/08/evil-network-sagade-ltd-atech-sagade.html

For those not already aware, this particular /23 is part of the BKCNET (AS6851) range.

Related

Evilness: Sagade Ltd / ATECH-SAGADE
http://blog.dynamoo.com/2010/05/evilness-sagade-ltd-atech-sagade.html

Competition reminder: Less than 1 week left!

Just a reminder for those of you taking part - there's less than a week left to get your comments and suggestions finalised and posted!

http://forum.hosts-file.net/viewtopic.php?f=27&t=2077

Evil network: Latnet Serviss Ltd (latnet.lv) AS2588 (159.148.117.0/24)

Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588 belonging to Latnet (similar to microlines.lv). At a rough calculation, roughly half the IP address ranges I am currently blocking are based in Latvia.

This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here and either blocking the entire IP range, or the list below is probably a good idea.


Read more
http://blog.dynamoo.com/2010/08/evil-network-latnet-serviss-ltd.html

Friday 20 August 2010

De-listings: AdvancedDefrag.com and MessengerPlus

AdvancedDefrag.com has now been de-listed, after a test of their latest version showed it no longer met the inclusion criteria (the major improvement to their software is that their trial version is actually a trial now, not a demo).

After years of bundling the Swizzor trojan (created by Patchou, so I'm told), Patchou/Yuna Software have finally removed Swizzor from their MessengerPlus installer. This removal came after years of Patchou telling everyone the AVs and other security companies were in the wrong, and that their detections were F/Ps.

Although it's taken years, the most important thing is that it's been removed, regardless of the fact that neither Yuna Software nor Patchou have seen fit to mention it (there is absolutely no mention of this removal on any of their sites). MessengerPlus does still bundle third party software, but instead of a trojan, they're now bundling the Ask.com rubbish. Because of this removal, I've now removed all of the following from the hpHosts blacklist;

For reference regarding MessengerPlus;

http://forums.malwarebytes.org/index.php?showtopic=57081

It's worth noting that they actually removed it a few months ago for those with a newer version of Windows, or those with WLM (Windows Live Messenger, aka MSN Messenger) already installed, but Swizzor was still installed if you didn't already have MSN (e.g. on a brand new install of XP, an OS that a very large proportion of people are still using, and indeed, still prefer to use).

Friday 13 August 2010

Service interruption

Just a note folks, the server housing surl.co.uk, avantbrowser.com, forum.avantbrowser.com and it-mate.co.uk, amongst others, is unreachable at present. I'm trying to get through to the host to find out what's going on, as I can't reach Anderson (the server's owner) at present.

Checking a few other IPs on the same /24 suggests this may actually be a problem internal to the superb.net network. I'll update when I know more.

/edit 04:06

Server's back up again. Still no idea what happened though, as I was stuck in a queue :o(

Thursday 12 August 2010

Fake DNSBL uncovered: nszones.com

Spamhaus has uncovered a fake spam filter company which was pirating and selling DNSBL data stolen from major anti-spam systems including Spamhaus, CBL and SURBL, republishing the stolen data under the name "nszones.com".

Nszones operates a 'remove your IP' scam charging naive internet users to be removed from the pirated nszones DNSBLs. Nszones also attempts to sell 'commercial subscriptions' to the pirated nszones DNSBLs.

Owned by Liberian-registered Aegeas Enterprises S.A., based in Greece, nszones.com was discovered pirating DNSBL data via rsync from Spamhaus, CBL and SURBL and republishing the pirated data under the hostnames 'bl.nszones.com, sbl.nszones.com, dyn.nszones.com and ubl.nszones.com' which nszones.com was then selling as its own work. Secret seed data which Spamhaus inserts into Spamhaus DNSBL zones to catch data pirates was found in bl.nszones.com, sbl.nszones.com and dyn.nszones.com.

Similarly, the whitelist wl.nszones.com contains data verified to have been wholly pirated from DNSWL.org.


Read more
http://www.spamhaus.org/organization/statement.lasso?ref=8

See also;

http://www.dnsbl.com/2010/03/beware-fake-blacklist-at-nszonescom.html
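
The seed-data check described in the Spamhaus statement above, as an added example that is not part of the statement or of this post: a toy in-memory DNSBL resolver (zone names and addresses are all constructed stand-ins) shows why a planted seed that turns up in another zone proves the data was copied, while an independently built list does not trigger.

```python
"""Seed-entry check for a DNSBL zone suspected of being a copy.

Added example, not code from Spamhaus or from the post. An operator
plants a few 'seed' addresses that have no other reason to be listed,
then checks whether a suspect zone answers for those same addresses.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# A DNSBL is queried by reversing the IPv4 octets and appending the zone.
def dnsbl_qname(ip: str, zone: str) -> str:
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

# Constructed stand-in for a live resolver: query name -> A record answer.
FakeResolver = Dict[str, str]

def build_zone(zone: str, listed: Iterable[str], answer: str = "127.0.0.2") -> FakeResolver:
    """Publish a set of listed addresses under one zone."""
    return {dnsbl_qname(ip, zone): answer for ip in listed}

def lookup(resolver: FakeResolver, ip: str, zone: str) -> Optional[str]:
    return resolver.get(dnsbl_qname(ip, zone))

def seed_hits(resolver: FakeResolver, seeds: Iterable[str], suspect_zone: str) -> List[str]:
    """Seed addresses the suspect zone lists; any hit means copied data."""
    return [ip for ip in seeds if lookup(resolver, ip, suspect_zone) is not None]

# Constructed data using RFC 5737 documentation ranges.
GENUINE_BAD = ["198.51.100.7", "198.51.100.8"]     # really abusive hosts
SEEDS = ["192.0.2.41", "203.0.113.250"]             # planted, never abusive

RESOLVER: FakeResolver = {}
RESOLVER.update(build_zone("bl.operator.example", GENUINE_BAD + SEEDS))
# A pirate rsyncs the whole zone, seeds included, and republishes it.
RESOLVER.update(build_zone("bl.pirate.example", GENUINE_BAD + SEEDS))
# An honest list built independently lists only the genuinely bad hosts.
RESOLVER.update(build_zone("bl.honest.example", GENUINE_BAD))

def audit(resolver: FakeResolver = RESOLVER) -> Dict[str, List[str]]:
    """Seed hits per suspect zone; an empty list clears the zone."""
    return {z: seed_hits(resolver, SEEDS, z) for z in ("bl.pirate.example", "bl.honest.example")}

if __name__ == "__main__":
    for zone, hits in audit().items():
        print(zone, "copied seeds:" if hits else "clean", hits)
```

Seeds only work if they have no legitimate reason to be listed elsewhere, which is why the honest zone that independently lists the same genuinely bad hosts comes back clean.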

Wednesday 11 August 2010

fSpamlist.com server

Just a note folks. This morning, the PSU in the fSpamlist server decided to die, and having popped in a replacement, it appears the PSU's death caused some corruption whilst it was at it.

I've got the machine running a check on the partitions as I write this, and hope to have the server back online within the next few hours. In the meantime, please accept my apologies.

/edit 09:19

The server is now back online.

Competition: 15 licences to give away!

Like free? Like Paragon Software products? Good!

I am pleased to announce, with special thanks to Paragon Software, I've got 15 licences to give away for their Virtualization Manager 2010 Professional software.

So what do you need to do? Well, all you need to do is try Go Virtual, which is the free version of VM 2010 Professional, and post your findings regarding it (things you like, things you don't, what could be improved and how, etc). That's all there is to it, nice and simple.

Where do you post your thoughts and suggestions? To the hpHosts forums, of course;

http://forum.hosts-file.net/viewtopic.php?f=27&t=2077

The competition will run until August 31st, and the winners chosen by myself. Please note, you'll need to be registered on the hpHosts forums to take part.

If you'd like a licence for VM 2010 Pro but don't want to take part in the competition, all Paragon Software have asked is that you join their PTAC (Paragon Technology Advisory Council).

http://www.paragon-software.com/partners/ptac/

Tuesday 10 August 2010

HostExploit: Cybercrime goes to Wall Street

Those of you investigating cybercrime will already be aware of eNom/DemandMedia and their involvement in such, and I'm pleased to announce the publication of a report by HostExploit concerning AS21740 and their involvement in cybercrime.

As part of a series of reports on ‘Cybercrime USA’, HostExploit presents a detailed analysis on Demand Media/eNom’s position as #1 Bad Host in the HE Index of comparative Internet badness. Research published in our recent Q2 2010 Top 50 Bad Hosts and Networks Report shows AS21740 Demand Media/eNom topping the HE chart by serving and distributing internet badness through: botnets, spam, Malware, infected web sites, and exploit serving. Out of the known 34,738 publicly reported ASes (servers), Demand Media/eNom is shown to be #1 for Internet badness and #1 abusive Registrar.

To demonstrate how the Internet badness served by Demand Media relates to other known centers of badness, we introduce in this report “The McColo Standard of Cybercrime”, whereby scores on our HE Index are illustrated in an easy to understand format and in comparison to how McColo would have fared using this system. A score of 4 to 5 on the HE Index is an average of all ASes. Much to our surprise, both Demand Media and McColo (using retroactive data from October 2008) scored around 270 indicating high levels of Internet badness. This placed Demand Media firmly in the #1 position on the HE Index.


Read the full article, and download the report at;

http://hostexploit.com/blog/14-reports/3516-cybercrime-goes-to-wall-street.html

Friday 6 August 2010

Eset: Support scams on the rise

Many have been writing about this topic lately, including myself, and not surprisingly, as quickly as we're having the domains and IPs nuked, they're bringing up new ones. My good friend David over at Eset has thrown a ton of information together for you to digest - and if you've got time spare (or perhaps meet with other parents when taking the kids to school or whatnot), see if you can have a competition with each other as to who can warn the most people (offline of course, as these are primarily telephony based scams).

Part 1:
http://blog.eset.com/2010/08/06/support-scams-on-the-rise-1

Part 2:
http://blog.eset.com/2010/08/06/support-scams-on-the-rise-2

PegasHosting: They love me, they really love me!

Checking up on the A records for Pegas, I noticed something that seemed odd. The NS records for ns1.pegas-dns.org were pointing to ns1.hosts-file.net and ns2.hosts-file.net - but this obviously isn't right (for starters, there are no ns1 and ns2 hosts on the hosts-file.net DNS, and secondly, I own hosts-file.net).

Thinking it could've just been a quirk or some such with the site I was using to do the check, I decided to verify it using Robtex and, lo and behold, the same results;



Seems the A records for pegas-dns.org and ns2.pegas-dns.org are the same as ns1. I'm still curious as to why (they've got a sense of humour perhaps?) ... answers on a postcard!

References

PegasHosting: Where are they now?
http://hphosts.blogspot.com/2010/07/pegashosting-where-are-they-now.html

PegasHosting range null-routed
http://hphosts.blogspot.com/2010/07/pegashosting-range-null-routed.html

Thursday 5 August 2010

Microsoft: Security Bulletin - Advanced notification

I hope you chaps and chapesses have some free time on the 10th, as you've got 14 bulletins to contend with, and the vast majority require a reboot. Most are for Windows, but as usual, there's other stuff thrown in such as Silverlight and Office.

Those of you looking after networks will already be using something like WSUS to manage these, so just skip straight to the info itself.

If you're a regular home user, Microsoft Update** will do it for you, but obviously, ensure you've done a backup BEFORE installing these*, so you've got something to go back to if it all goes pear-shaped.

You can find the advanced notification at;

http://www.microsoft.com/technet/security/Bulletin/ms10-aug.mspx

* You can do backups either manually, as a crude backup with System Restore, or with some backup software. Ideally, you'll be doing an image backup (either a drive image or a partition image, whichever you prefer), and images can be made using either something like Paragon's Backup & Recovery Free Edition or open source alternatives such as CloneZilla.

** Note: Microsoft Update is NOT the same as Windows Update. The latter of the two only deals with Windows updates; Microsoft Update covers ALL Microsoft software. If you've not told Windows Update to switch to Microsoft Update yet - do it (linky here).

Wednesday 4 August 2010

Full Circle Magazine: Issue 39

I'm a bit late in posting this but, better late than never.

That’s right, Full Circle issue 39 is out! We’ve got a review of the iRobot iPad Android tablet, talk about virtualizing Fedora, virtual memory, new interviews, and more! (Oh, and we seem to have the recurring theme of '13' in our articles.)

This month:

- Command and Conquer.
- How-To : Program in Python – Part 13, Virtualize – Fedora 13, and Understand Virtual Memory.
- Review – iRobot iPad.
- Top 5 – Documentation Sites.
- plus: MOTU Interview, Ubuntu Games, My Opinion, My Story, and now with all new LoCo and Translation Team interviews!

Download it here, as always.

(P.S. We just overhauled the back end of the site. If you’ve made an account or comment within the last 36 hours, it may have disappeared. Plus, if anything seems awry to you, please, let us know! Thanks!)


Read more
http://fullcirclemagazine.org/2010/07/30/weve-got-issue-39-out-for-you/

Get it while it's hot!
http://fullcirclemagazine.org/issue-39/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine